<!DOCTYPE HTML>
<html lang="en-CA">


   	
	
	

	
    <head>
    
    
    
    
    <meta charset="UTF-8"/>
    <meta name="viewport" content="width=device-width"/>
	<meta name="description"/>
	<meta name="robots" content="index,follow"/>
	<meta name="keywords" content="articles, news, reports,malware,research"/>
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
	<meta name="template" content="article1withouthero"/>
    <meta property="article:published_time" content="2020-11-24"/>
    <meta property="article:tag" content="malware"/>
    <meta property="article:section" content="research"/>
    
    <link rel="icon" type="image/ico" href="/content/dam/trendmicro/favicon.ico"/>
	<link rel="canonical" href="https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html"/>

    <title>Analysis of Kinsing Malware's Use of Rootkit</title>
			 
    

    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600" rel="stylesheet"/>
<link href="//customer.cludo.com/css/296/1798/cludo-search.min.css" type="text/css" rel="stylesheet"/>



    
    
    

    
    
    
    
<link rel="stylesheet" href="/etc.clientlibs/trendresearch/clientlibs/clientlib-trendresearch.min.css" type="text/css">



    

    

	<meta property="og:url" content="https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html"/>
<meta property="og:title" content="Analysis of Kinsing Malwares Use of Rootkit"/>
<meta property="og:site_name" content="Trend Micro"/>
<meta property="og:image" content="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/Analysis-Kinsing-Rootkit-641.jpg"/>
<meta property="og:locale" content="en_CA"/>

	<meta name="twitter:card" content="summary_large_image"/>
<meta name="twitter:site" content="@TrendMicro"/>
<meta name="twitter:title" content="Analysis of Kinsing Malwares Use of Rootkit"/>
<meta name="twitter:image" content="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/Analysis-Kinsing-Rootkit-641.jpg"/>

</head>
    
    <body class="articlepage page basicpage context-business">

        
                      
     		<!-- /* Data Layer */ -->
			<script type="text/javascript">
				var utag_data = {"customer_cookie_type":"business","language_code":"en_ca","page_name":"research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/en_ca","category_id":"en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit","page_type":"unknown","site_section":"research","post_author":"Jaromir Horejsi|Threat Researcher,David Fiser|Threat Researcher","post_date":"2020-11-24"};
			</script>


            



            
<div class="header globalHeaderV2">

<div class="disruptorPanel">

<div class="disruptor-panel__alert">

	<div class="inner-container">
		<button class="sliding-dismiss-button">
			<span class="button-text">dismiss</span>
			<span class="icon-close"></span>
		</button>
	</div>
</div>
</div>
<div class="main-header new-main-header">
	<!-- Nav Sticky Wrapper -->
	<div class="nav-sticky-wrapper">
		<!-- Top Bar -->
		<div class="top-bar hidden-xs hidden-sm">
			<div class="inner-container">
				<div class="utility-col">
					<div class="utilityMenu utilityMenu-desktop"><nav class="utilityMenu__wrapper">

	<div class="dropdown utilityAlerts ">
	<button class="menu-button" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
		<span class="hidden menu-button__alert-count"></span>
		<span class="menu-button__icon icon-alert"></span>
		<span class="menu-button__text">Alerts</span>
	</button>
	<ul class="hidden dropdown-menu alerts-container ">
	</ul>

<ul class="dropdown-menu no-alerts"><li>No new notifications at this time.</li></ul>

</div>

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown hidden-xs ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-download"></span>
				<span class="menu-button__text">Download</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li>
							<a href="/en_ca/business/products/downloads.html?#t3">
								
								Scan Engines
								
							</a>
						</li>
					
						<li>
							<a href="/en_ca/business/products/downloads.html?#t4">
								
								All Pattern Files
								
							</a>
						</li>
					
						<li>
							<a href="/en_ca/business/products/downloads.html">
								
								All Downloads
								
							</a>
						</li>
					
						<li class=" is-phone-number ">
							<a href="http://downloadcenter.trendmicro.com/index.php?clk=left_nav&clkval=rss_feed&regs=NABU" target="_blank" rel="noopener noreferrer" class="no-border ">
								
								Subscribe to Download Center RSS
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-cart"></span>
				<span class="menu-button__text">Buy</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-business ">
							<a href="http://store.trendmicro.com/store/tmamer/Content/pbPage.Home/pgm.4823570300/" target="_blank" rel="noopener noreferrer">
								
								Home Office Online Store
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://store.trendmicro.com/store/tmamer/html/pbPage.ManualRenew/ThemeID.7735600" target="_blank" rel="noopener noreferrer">
								
								Renew Online
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="/en_ca/forHome/products/free-tools.html" target="_blank" rel="noopener noreferrer" class="no-border ">
								
								Free Tools
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_ca/partners/find-a-partner.html">
								
								Find a Partner
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_ca/business/get-info-form.html">
								
								Contact Sales
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_ca/contact.html">
								
								Locations Worldwide
								
							</a>
						</li>
					
						<li class="dropdown-header hidden-context-home is-phone-number ">
							
								
								1-888-762-8736  (M-F 8am - 5pm CST)
								
							
						</li>
					
						<li class="dropdown-header hidden-context-home ">
							
								
								Small Business
								
							
						</li>
					
						<li class=" hidden-context-home ">
							<a href="http://buyonline.trendmicro.com/" target="_blank" rel="noopener noreferrer">
								
								Buy Online
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="http://renewonline.trendmicro.com/" target="_blank" rel="noopener noreferrer">
								
								Renew Online
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown stretched-dropdown">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-region"></span>
				<span class="menu-button__text">Region</span>
			</button>
			



			

			
				<div class="dropdown-menu align-">
					<ul class="menu-column col-xs-12 col-sm-4 col-md-3">
						
							<li class="dropdown-header">
								
									
									The Americas
									
								
							</li>
						
							<li>
								<a href="/en_us.html">
									
									United States
									
								</a>
							</li>
						
							<li>
								<a href="/pt_br.html">
									
									Brasil
									
								</a>
							</li>
						
							<li>
								<a href="/en_ca.html">
									
									Canada
									
								</a>
							</li>
						
							<li>
								<a href="/es_mx.html" class="no-border ">
									
									México
									
								</a>
							</li>
						
							<li class="dropdown-header break-column-tablet">
								
									
									Asia Pacific
									
								
							</li>
						
							<li>
								<a href="/en_au.html">
									
									Australia
									
								</a>
							</li>
						
							<li>
								<a href="/en_hk.html">
									
									Hong Kong (English)
									
								</a>
							</li>
						
							<li>
								<a href="/zh_hk.html">
									
									香港 (中文) (Hong Kong) 
									
								</a>
							</li>
						
							<li>
								<a href="/en_in.html">
									
									भारत गणराज्य (India)
									
								</a>
							</li>
						
							<li>
								<a href="/in_id.html">
									
									Indonesia
									
								</a>
							</li>
						
							<li class=" break-column-desktop">
								<a href="/ja_jp.html">
									
									日本 (Japan)
									
								</a>
							</li>
						
							<li>
								<a href="/ko_kr/business.html">
									
									대한민국 (South Korea)
									
								</a>
							</li>
						
							<li>
								<a href="/en_my.html">
									
									Malaysia
									
								</a>
							</li>
						
							<li>
								<a href="/en_nz.html">
									
									New Zealand
									
								</a>
							</li>
						
							<li>
								<a href="/en_ph.html">
									
									Philippines
									
								</a>
							</li>
						
							<li>
								<a href="/en_sg.html">
									
									Singapore
									
								</a>
							</li>
						
							<li>
								<a href="/zh_tw.html">
									
									台灣 (Taiwan)
									
								</a>
							</li>
						
							<li>
								<a href="/th_th.html">
									
									 ประเทศไทย (Thailand)
									
								</a>
							</li>
						
							<li>
								<a href="/vi_vn.html" class="no-border ">
									
									Việt Nam
									
								</a>
							</li>
						
							<li class="dropdown-header break-column-desktop break-column-tablet">
								
									
									Europe
									
								
							</li>
						
							<li>
								<a href="/en_be.html">
									
									België (Belgium)
									
								</a>
							</li>
						
							<li>
								<a href="http://www.trendmicro.cz/">
									
									Česká Republika
									
								</a>
							</li>
						
							<li>
								<a href="/en_dk.html">
									
									Danmark
									
								</a>
							</li>
						
							<li>
								<a href="/de_de.html">
									
									Deutschland, Österreich Schweiz
									
								</a>
							</li>
						
							<li>
								<a href="/es_es.html">
									
									España
									
								</a>
							</li>
						
							<li>
								<a href="/fr_fr.html">
									
									France
									
								</a>
							</li>
						
							<li>
								<a href="/en_ie.html">
									
									Ireland
									
								</a>
							</li>
						
							<li>
								<a href="/it_it.html">
									
									Italia
									
								</a>
							</li>
						
							<li>
								<a href="/en_nl.html">
									
									Nederland
									
								</a>
							</li>
						
							<li class=" break-column-desktop">
								<a href="/en_no.html">
									
									Norge (Norway)
									
								</a>
							</li>
						
							<li>
								<a href="/pl_pl.html">
									
									Polska (Poland)
									
								</a>
							</li>
						
							<li>
								<a href="/ru_ru.html">
									
									Россия (Russia)
									
								</a>
							</li>
						
							<li>
								<a href="/en_fi.html">
									
									Suomi (Finland)
									
								</a>
							</li>
						
							<li>
								<a href="/en_se.html">
									
									Sverige (Sweden)
									
								</a>
							</li>
						
							<li>
								<a href="/tr_tr.html">
									
									Türkiye (Turkey)
									
								</a>
							</li>
						
							<li>
								<a href="/en_gb.html" class="no-border ">
									
									United Kingdom
									
								</a>
							</li>
						
							<li class="dropdown-header break-column-desktop break-column-tablet">
								
									
									Middle East &amp; Africa
									
								
							</li>
						
							<li>
								<a href="/en_me/forHome.html" class=" country-pricing-cookie" data-country-pricing-cookie="ar_EG-EGP">
									
									Egypt
									
								</a>
							</li>
						
							<li>
								<a href="/en_il/forHome.html">
									
									Israel
									
								</a>
							</li>
						
							<li>
								<a href="/en_me/forHome.html" class=" country-pricing-cookie" data-country-pricing-cookie="ar_KW-KWD">
									
									Kuwait
									
								</a>
							</li>
						
							<li>
								<a href="/en_me/forHome.html" class=" country-pricing-cookie" data-country-pricing-cookie="ar_OM-OMR">
									
									Oman
									
								</a>
							</li>
						
							<li>
								<a href="/en_me/forHome.html" class=" country-pricing-cookie" data-country-pricing-cookie="ar_SA-SAR">
									
									Saudi Arabia
									
								</a>
							</li>
						
							<li>
								<a href="/en_za.html">
									
									South Africa
									
								</a>
							</li>
						
							<li>
								<a href="/en_ae.html">
									
									UAE
									
								</a>
							</li>
						
							<li>
								<a href="/en_me/forHome.html" class=" country-pricing-cookie" data-country-pricing-cookie="en_US-USD">
									
									Rest of MEA
									
								</a>
							</li>
						
					</ul>
				</div>
			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-login"></span>
				<span class="menu-button__text">Log In</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-home ">
							<a href="https://success.trendmicro.com/sign-in" target="_blank" rel="noopener noreferrer">
								
								My Support
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://esupport.trendmicro.com/en-us/home/pages/resources.aspx" target="_blank" rel="noopener noreferrer" class="no-border ">
								
								Log In to Support
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://community-trendmicro.force.com/Partner" target="_blank" rel="noopener noreferrer">
								
								Partner Portal
								
							</a>
						</li>
					
						
					
						
					
						<li class="dropdown-header hidden-context-business ">
							
								
								Home Solutions
								
							
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://www.trendsecure.com/my_account/signin/login" target="_blank" rel="noopener noreferrer">
								
								My Account
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://www.trendmicro.com/ilostmyandroid" target="_blank" rel="noopener noreferrer">
								
								Lost Device Portal
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://www.trendsecure.com/report_stolen/locker/report" target="_blank" rel="noopener noreferrer">
								
								Trend Micro Vault
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://pwm.trendmicro.com/" target="_blank" rel="noopener noreferrer">
								
								Password Manager
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://clp.trendmicro.com/" target="_blank" rel="noopener noreferrer">
								
								Customer Licensing Portal
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://esupport.trendmicro.com/oct" target="_blank" rel="noopener noreferrer">
								
								Online Case Tracking
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://success.trendmicro.com/sign-in" target="_blank" rel="noopener noreferrer">
								
								Premium Support
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://sso.trendmicro.com/sso/form/authenticate.aspx" target="_blank" rel="noopener noreferrer">
								
								Worry-Free Business Security Services
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://tm.login.trendmicro.com/authenticate/api/false/tmrm" target="_blank" rel="noopener noreferrer">
								
								Remote Manager
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://cloudone.trendmicro.com/" target="_blank" rel="noopener noreferrer">
								
								Cloud One
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://signup.cj.com/member/signup/publisher/?cid=1157059" target="_blank" rel="noopener noreferrer" class="no-border ">
								
								Referral Affiliate
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://signup.cj.com/member/signup/publisher/?cid=1867119#/branded?_k=xaeu3t" target="_blank" rel="noopener noreferrer">
								
								Referral Affiliate
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			
			<a class="utility-menu-button-link" href="/en_ca/business/products/trials.html">
				<span class="menu-button__icon icon-free-trial"></span>
				<span class="menu-button__text">Free trials</span>
			</a>



			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button desktop-text button-red" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-contact"></span>
				<span class="menu-button__text">Contact Us</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-home ">
							<a href="https://www.trendmicro.com/en_us/business/get-info-form.html">
								
								Contact Sales
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_ca/contact.html">
								
								Locations
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://success.trendmicro.com/technical-support">
								
								Support
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_ca/partners/find-a-partner.html">
								
								Find a Partner
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_ca/about/events.html">
								
								Learn of upcoming events
								
							</a>
						</li>
					
						<li class="dropdown-header hidden-context-home ">
							
								
								Social Media Networks
								
							
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.facebook.com/TrendMicro/">
								
								Facebook
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://twitter.com/trendmicro">
								
								Twitter
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.linkedin.com/company/trend-micro/">
								
								Linkedin
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.youtube.com/user/TrendMicroInc">
								
								Youtube
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.instagram.com/trendmicro/">
								
								Instagram
								
							</a>
						</li>
					
						<li class="dropdown-header is-phone-number ">
							
								
								1-888-762-8736 (M-F 8-5 CST)
								
							
						</li>
					
				</ul>
			

			
		</div>
	

	<div class="dropdown utility-dropdown-search hidden-sm hidden-md hidden-lg">
		<button class="menu-button utility-search-button" type="button">
			<span class="menu-button__icon icon-search-thin"></span>
		</button>
	</div>
</nav>

</div>
				</div>
			</div>
		</div>
		<!-- Bottom Bar -->
		<div class="bottom-bar">
			<div class="inner-container">
				<nav class="mainNavMenu"><!--  Inner Container -->
<div class="inner-container">
	<!--  Logo Toggle Col -->
	<div class="logo-toggle-col">
		<div class="newlogo logo"><a href="/en_ca/business.html">
	<img class="hidden-xs" src="/content/dam/trendmicro/global/en/global/logo/logo-desktop.png" alt="Trend Micro Security"/>
	<img class="hidden-sm hidden-md hidden-lg" src="/content/dam/trendmicro/global/en/global/logo/logo-desktop.png" alt="Trend Micro Security"/>
</a>


</div>
		<div class="toggle">
	<div class="toggle-button active">
		<a href="/en_ca/business.html" data-businesscontext="true">
			Business&nbsp;
			<span class="icon-chevron-right hidden-xs"></span>
		</a>
	</div>
	<div class="toggle-button">
		<a href="/en_ca/forHome.html" data-businesscontext="false">
			For Home&nbsp;
			<span class="icon-chevron-right hidden-xs"></span>
		</a>
	</div>

</div>
		<div class="mobile-right-controls hidden visible-xs visible-sm">
			<a href="#newnavmenu-mobile" class="menu-link toggle-newnavmenu-mobile collapsed" data-toggle="collapse">
				<div class="menu-icon">
					<div class="center-bar"></div>
				</div>
			</a>
			<div class="search-mobile toggle-search-mobile collapsed" data-target="#search-mobile-wrapper" data-toggle="collapse">
				<span class="icon-search"></span>
			</div>
		</div>
	</div>
	<!--  Nav Wrapper -->
	<div class="nav-wrapper collapse to-right dont-collapse-flex-md" id="newnavmenu-mobile">
		
			<div class="dropdown">
				
				
				
					<button class="menu-toggle hidden-xs hidden-sm" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
						Products
					</button>
					<button class="menu-toggle hidden-md hidden-lg" type="button" data-toggle="collapse" data-target="#nav-dropdown-0" aria-haspopup="true" aria-expanded="false">
						Products
					</button>
					<div class="dropdown-menu" id="nav-dropdown-0">
						<div class="responsiveColumnControl section">

<style>>
#responsive-column-5031d266-9b02-42d7-b165-11f1ce86f95a {
	margin-top:0;
	padding-top:0;
	padding-bottom:0;
	margin-bottom:40px;
}
</style>



<div class="row
			
			null global-margin-top- global-padding-top- global-padding-bottom- global-margin-bottom-" id="responsive-column-5031d266-9b02-42d7-b165-11f1ce86f95a">
	<div class="col-sm-12 col-xs-12 col-md-12 column"><div class="navCategory section">
<div class="white left-align-full show-dividers columns-container">
	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-red" id="b-nav-products-hcs" href="/en_ca/business/products/hybrid-cloud.html">Hybrid Cloud Security</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-workload-security" href="/en_ca/business/products/hybrid-cloud/cloud-one-workload-security.html">
	Workload Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-conformity" href="/en_ca/business/products/hybrid-cloud/cloud-one-conformity.html">
	Conformity
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-container-security" href="/en_ca/business/products/hybrid-cloud/cloud-one-container-image-security.html">
	Container Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-file-storage-security" href="/en_ca/business/products/hybrid-cloud/cloud-one-file-storage-security.html">
	File Storage Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-application-security" href="/en_ca/business/products/hybrid-cloud/cloud-one-application-security.html">
	Application Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-network-security" href="/en_ca/business/products/hybrid-cloud/cloud-one-network-security.html">
	Network Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-open-source" href="/en_ca/business/products/hybrid-cloud/cloud-one-open-source-security-by-snyk.html">
	Open Source Security
	
</a>

</div>

</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-red" id="b-nav-products-network-security" href="/en_ca/business/products/network.html">Network Security</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-" id="b-nav-products-network-intrusion-prevention" href="/en_ca/business/products/network/intrusion-prevention.html">
	Intrusion Prevention
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-products-network-advanced-threat-protection" href="/en_ca/business/products/network/advanced-threat-protection.html">
	Advanced Threat Protection
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-industrial-network-security" href="/en_ca/business/products/iot/industrial-network-security.html">
	Industrial Network Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-mobile-network-security" href="/en_ca/business/products/iot/mobile-network-security.html">
	Mobile Network Security
	
</a>

</div>

</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-red" id="b-nav-products-user-protection" href="/en_ca/business/products/user-protection.html">User Protection</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-" id="b-nav-products-up-endpoint-security" href="/en_ca/business/products/user-protection/sps/endpoint.html">
	Endpoint Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-products-up-email-security" href="/en_ca/business/products/user-protection/sps/email-and-collaboration.html">
	Email Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-up-mobile-security" href="/en_ca/business/products/user-protection/sps/mobile-security-enterprise.html">
	Mobile Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-products-up-web-security" href="/en_ca/business/products/user-protection/sps/web-security.html">
	Web Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-up-industrial-endpoint" href="/en_ca/business/products/iot/industrial-endpoint-security.html">
	Industrial Endpoint
	
</a>

</div>

</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-red" id="b-nav-products-detection-response" href="/en_ca/business/products/detection-response.html">Detection &amp; Response</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-detection-response-xdr" href="/en_ca/business/products/detection-response/xdr.html">
	XDR
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-detection-response-zero-trust" href="/en_ca/business/products/detection-response/zero-trust.html">
	Zero Trust Risk Insights
	
</a>

</div>

</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray">Powered by</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-gray" id="b-nav-key-products-machine-learning" href="/content/trendmicro/en_ca/business/technologies/machine-learning">
	AI/Machine Learning
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-key-products-global-threat-intelligence" href="/en_ca/business/technologies/smart-protection-network.html">
	Global Threat Intelligence
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-products-key-connected-threat-defense" href="/en_ca/business/technologies/connected-threat-defense.html">
	Connected Threat Defense
	
</a>

</div>

</div>
	</div>
</div>

</div>
<div class="navCategory section">
<div class="white center-align  columns-container">
	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray" id="b-nav-products-all-products" href="/en_ca/business/products.html">All Products &amp; Trials</a>
</div>
		<div class="parsys navColumnItems">
</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray" id="b-nav-products-all-solutions" href="/en_ca/business/products/all-solutions.html">All Solutions</a>
</div>
		<div class="parsys navColumnItems">
</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray" id="b-nav-products-service-packages" href="/en_ca/business/services/service-one.html">Service Packages</a>
</div>
		<div class="parsys navColumnItems">
</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray" id="b-nav-products-small-business" href="/en_ca/small-business/worry-free-services-advanced.html">Small &amp; Midsize Business Security</a>
</div>
		<div class="parsys navColumnItems">
</div>
	</div>
</div>

</div>

</div>
</div>
</div>


					</div>
				
			</div>
		
		
		
		
		
		
	Webinars
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-company-events" href="/en_ca/about/events.html">
	Events
	
</a>

</div>

</div>

	<div class="col-sm-3 col-xs-12 col-md-3 column"><div class="navLink section">
<a class=" text-color-" id="b-nav-company-security-experts" href="/en_ca/about/leading-experts.html">
	Security Experts
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-company-careers" href="/en_ca/about/careers.html">
	Careers
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-history" href="/en_ca/about/history-vision-values.html">
	History
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-company-corp-social-responsibility" href="/en_ca/about/corporate-social-responsibility.html">
	Corporate Social Responsibility
	
</a>

</div>

</div>

	<div class="col-sm-3 col-xs-12 col-md-3 column"><div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-diversity-inclusion" href="/en_ca/about/diversity-inclusion.html">
	Diversity, Equity &amp; Inclusion
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-trust-center" href="/en_ca/about/trust-center.html">
	Trust Center
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-company-internet-safety-cyber-ed" href="/en_ca/initiative-education.html">
	Internet Safety and Cybersecurity Education
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-investors" href="/en_us/about/investor-relations.html">
	Investors
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-legal" href="/en_ca/about/legal.html">
	Legal
	
</a>

</div>

</div>
</div>
</div>

</div>
	</div>
</div>

</div>

</div>
</div>
</div>


					</div>
				
			</div>
		
		
<div class="root responsivegrid">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
    <div class="articleBodyNoHero aem-GridColumn aem-GridColumn--default--12"><div class="research-layout article container" role="contentinfo">
    <article class="research-layout--wrapper row" data-article-pageID="2027797819">
        <div class="col-xs-12 col-md-12 one-column">
            <div class="col-xs-12 col-md-12">
                <div class="article-details" role="heading">
	<span class="article-details__bar" role="img"></span>
	<p class="article-details__display-tag">Malware</p>
	<h1 class="article-details__title">Analysis of Kinsing Malware&#39;s Use of Rootkit</h1>
	<p class="article-details__description">Several shell scripts accompany Kinsing. These shell scripts are responsible for downloading and installing the Kinsing backdoor, miner, and rootkit, as well as removing and uninstalling various resource-intensive services and processes. This blog post focuses on the role of the rootkit component.</p>
	<p class="article-details__author-by">By: Jaromir Horejsi, David Fiser
		
			<time class="article-details__date">November 24, 2020</time>
		
		
	</p>

</div>

            </div>
        </div>
		
		<hr class="research-layout-divider"/>

        <main class="main--content col-xs-12 col-md-8 col-md-push-2">
            <div>
	
    


	

</div>
            <div class="richText">
	
    


	
		<div>
			<p>We <a href="https://www.trendmicro.com/vinfo/tmr/?/us/security/news/virtualization-and-cloud/misconfigured-docker-daemon-api-ports-attacked-for-kinsing-malware-campaign">last discussed</a> the Kinsing malware in April 2020, when we analyzed the Golang-based Linux agent targeting misconfigured Docker Daemon API ports to drop cryptocurrency miners.</p>
<p>With the constant evolution of shell scripts and Linux-based malicious backdoors and agents, it’s not surprising that the creators of Kinsing have kept in step. In this entry, we discuss the malware variant’s current capabilities, including the addition of features intended to make it more difficult to detect on infected machines. Similar to how the <a href="/en_ca/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html">Trident malware uses a rootkit</a> to hide the cryptocurrency mining payload, Kinsing has also adapted the method, integrating user-mode <a href="https://www.trendmicro.com/vinfo/tmr/?/us/security/definition/Rootkit">rootkit</a>s that use library preloading.</p>
<p>Several shell scripts accompany the malware itself. These shell scripts are responsible for downloading and installing the Kinsing backdoor, miner, and rootkit, as well as removing and uninstalling various resource-intensive services and processes. These scripts are similar to those discussed in the entries mentioned above. This blog post will focus on the rootkit component.</p>
<h1><span class="body-subhead-title">Technology analysis</span></h1>
<p>In the first step of the process, the deployed shell script tries to remove the immutable file flag from <i><a href="https://manpages.debian.org/testing/manpages/ld.so.8.en.html" target="_blank" rel="noopener noreferrer">/etc/ld.so.preload</a></i>, if that file exists.</p>

		</div>
	

</div>
            <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/fig%201%20-%20kinsing11242020.png" alt="Removing the immutable file flag"/>
		
   		<figcaption>Figure 1. Removing the immutable file flag</figcaption>
	</figure>

</div>
            <div>




    
    
    <div class="richText">
	
    


	
		<div>
			<p>The <i>/etc/ld.so.preload</i> file contains a list of paths to shared objects (libraries) that are loaded into every user-mode process on startup, before any other shared library — including the C runtime library (<i>libc.so</i>). By default, this file is not present in Linux distributions; it has to be created on purpose, so an unexpected <i>/etc/ld.so.preload</i> file, or an unexpected entry in it, is worth investigating.</p>
<p>Next, the downloader downloads the rootkit to <i>/etc/libsystem.so</i>, after which a new <i>/etc/ld.so.preload</i> is created. The path to the rootkit is then added to the <i>/etc/ld.so.preload</i> file.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/fig%202%20-%20kinsing11242020.png" alt=" Downloading the rootkit and creating persistence"/>
		
   		<figcaption>Figure 2. Downloading the rootkit and creating persistence</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>Note that removing files from or writing files into the <i>/etc/</i> directory is a privileged operation; therefore, it is highly recommended to follow the principle of least privilege and not run applications <a href="/en_ca/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html">or containers</a> with root permissions.</p>
<p>The Kinsing malware also works with lower privileges, but without its advanced persistence and rootkit functions.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/fig%203%20-%20kinsing11242020.png" alt="Setting up the persistence function"/>
		
   		<figcaption>Figure 3. Setting up the persistence function</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>User-level persistence of the downloaded Kinsing malware is achieved by registering it as a system service called “bot.”</p>
<p>Another level of persistence is achieved via cron, where the installation script is repeatedly downloaded and executed.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/fig%204%20-%20kinsing11242020.png" alt="cron persistence"/>
		
   		<figcaption>Figure 4. The cron persistence</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<h1><span class="body-subhead-title">Rootkit analysis</span></h1>
<p>The rootkit contains a list of hidden literals and a list of non-hooked symbols (native functions that will be hooked, but whose original addresses must first be resolved and saved for later use). Both lists are encrypted with a single-byte XOR.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/fig%205%20-%20kinsing11242020.png" alt="Decryption algorithm used to obtain the names of hidden literals and hooked functions"/>
		
   		<figcaption>Figure 5. The decryption algorithm used to obtain the names of hidden literals and hooked functions</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>The functions hooked by the rootkit are as follows:</p>
<ul>
<li><span class="rte-red-bullet">access</span></li>
<li><span class="rte-red-bullet">rmdir</span></li>
<li><span class="rte-red-bullet">open</span></li>
<li><span class="rte-red-bullet">readdir</span></li>
<li><span class="rte-red-bullet">readdir64</span></li>
<li><span class="rte-red-bullet">stat</span></li>
<li><span class="rte-red-bullet">stat64</span></li>
<li><span class="rte-red-bullet">__xstat</span></li>
<li><span class="rte-red-bullet">__xstat64</span></li>
<li><span class="rte-red-bullet">lstat</span></li>
<li><span class="rte-red-bullet">lstat64</span></li>
<li><span class="rte-red-bullet">__lxstat</span></li>
<li><span class="rte-red-bullet">__lxstat64</span></li>
<li><span class="rte-red-bullet">fopen</span></li>
<li><span class="rte-red-bullet">fopen64</span></li>
<li><span class="rte-red-bullet">link</span></li>
<li><span class="rte-red-bullet">unlink</span></li>
<li><span class="rte-red-bullet">unlinkat</span></li>
</ul>
<p>The rootkit implements the following functions:</p>
<h2><span class="body-subhead-title">is_attacker</span></h2>
<p>This is used to determine whether the calling process is run by the attacker, by checking for the presence of an environment variable called SKL.</p>
<h2><span class="body-subhead-title">is_hidden_file</span></h2>
<p>If the file name is <i>kinsing</i> (backdoor &amp; worm process), <i>kdevtmpfsi</i> (cryptomining process), or <i>lib_system.so</i> (rootkit), the function returns the error code <i>EPERM = Operation not permitted</i>.</p>
<p>When looking into the <i>/proc/</i> directory, the rootkit searches for the environment file in the process's directory and for the variable SKL to decide whether that directory should be hidden.</p>
<h2><span class="body-subhead-title">hide_tcp_ports</span></h2>
<p>This is used to parse the files <i>/proc/net/tcp</i> or <i>/proc/net/tcp6</i>, which list the currently active TCP connections. It extracts the remote IP addresses and compares them with the hidden literals. If there is a match, the information about that TCP connection is hidden from the listing.</p>
<h2><span class="body-subhead-title">readdir</span></h2>
<p>If the attacker executes the process (that is, the SKL environment variable is set for the process calling the readdir function), then readdir works with no restrictions.</p>
<p>If the current directory is <i>/proc</i> and the process name is <i>kinsing</i> or <i>kdevtmpfsi</i>, the directory item is omitted from the directory listing. If the item is '.' or a hidden file (<i>kinsing, kdevtmpfsi,  lib_system.so</i>), it is omitted as well.</p>
<p>For the other hooked functions, a process that the attacker runs is allowed to invoke all operations without limitation. For other processes (not run by the attacker), the hooked function returns an <i>ENOENT = No such file or directory</i> error code if a hidden file is accessed. Because the hooks are installed through library preloading, they apply only to dynamically linked programs that call these library functions.</p>
<p>Further searching revealed that the threat actor reuses the publicly available <a href="https://github.com/unix-thrust/beurk" target="_blank">beurk</a> rootkit, but with several custom modifications.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit/fig%206%20-%20kinsing11242020.png" alt="beurk rootkit repository"/>
		
   		<figcaption>Figure 6. The beurk rootkit repository</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div class="responsive-table-wrap">
			<h1><span class="body-subhead-title">Conclusion</span></h1>
<p>Kinsing is still highly active and continually evolving. Adding the rootkit component hides the presence of malicious components in the infected system. Reusing publicly available source code is a popular option for malicious actors, giving them an easier way to add new functions to their malware.</p>
<p><span class="body-subhead-title">Indicators of Compromise (IOCs)</span></p>
<table cellpadding="1" cellspacing="0" border="1">
<tbody><tr><td><b>Hash (SHA-256)</b></td>
<td> </td>
<td><b>Detection name</b></td>
</tr><tr><td>4CE4F3EA11D62518C3C6248FB827E72628A0750AD4C4BD7E69D62C444F5FDB04</td>
<td>Installation script</td>
<td>Trojan.SH.KINSING.E</td>
</tr><tr><td>D5F089EA1B007AE0796D7D44B5A282C20195B074FEEBC113D7A1FD0D61C8C496</td>
<td>Installation script</td>
<td>Trojan.SH.KINSING.E</td>
</tr><tr><td>000BEF7B8B56BDB86606A03C6EC3887EC0F1EB5DC507F60144656C8046D89B2E </td>
<td>Installation script</td>
<td> </td>
</tr><tr><td>7F44FE4766AEB78B65EE014864E49A76D2E61B2198A356F23060F48A5F057411</td>
<td>Installation script</td>
<td> </td>
</tr><tr><td>1635095EA081FBF1B7C2CF3A88C610D0BCCBFD5B470F1E49AA093B086D21FFC8</td>
<td>Spreader script</td>
<td>Trojan.SH.KINSING.E</td>
</tr><tr><td>C38C21120D8C17688F9AEB2AF5BDAFB6B75E1D2673B025B720E50232F888808A</td>
<td>Rootkit</td>
<td>Trojan.Linux.KINSING.AA</td>
</tr><tr><td>CCFDA7239B2AC474E42AD324519F805171E7C69D37AD29265C0A8BA54096033D</td>
<td>Kinsing malware</td>
<td>Coinminer.Linux.MALBTC.AMX</td>
</tr></tbody></table>

		</div>
	

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p><b>C&amp;C IP addresses:</b></p>
<ul>
<li><span class="rte-red-bullet">45[.]129[.]2[.]107</span></li>
<li><span class="rte-red-bullet">45[.]156[.]23[.]210</span></li>
<li><span class="rte-red-bullet">45[.]142[.]214[.]48</span></li>
<li><span class="rte-red-bullet">93[.]189[.]46[.]81</span></li>
<li><span class="rte-red-bullet">95[.]213[.]224[.]21</span></li>
<li><span class="rte-red-bullet">95[.]181[.]179[.]88</span></li>
<li><span class="rte-red-bullet">176[.]96[.]238[.]176</span></li>
<li><span class="rte-red-bullet">185[.]156[.]179[.]225</span></li>
<li><span class="rte-red-bullet">185[.]221[.]154[.]208</span></li>
<li><span class="rte-red-bullet">185[.]237[.]224[.]182</span></li>
<li><span class="rte-red-bullet">185[.]154[.]53[.]140</span></li>
<li><span class="rte-red-bullet">185[.]87[.]48[.]183</span></li>
<li><span class="rte-red-bullet">193[.]164[.]150[.]99</span></li>
<li><span class="rte-red-bullet">194[.]87[.]102[.]77</span></li>
<li><span class="rte-red-bullet">212[.]22[.]77[.]79</span></li>
</ul>

		</div>
	

</div>


</div>
            <section class="tag--list">
	<div class="tag--list-title">Tags</div>
	<div class="tag--list-tags">
		<a href="/en_ca/research.html?category=trend-micro-research:medium/article" class="tag--list-anchor">Articles, News, Reports</a>
		
			<span class="tag--list-separator" role="separator">|</span>
		
	
		<a href="/en_ca/research.html?category=trend-micro-research:threats/malware" class="tag--list-anchor">Malware</a>
		
			<span class="tag--list-separator" role="separator">|</span>
		
	
		<a href="/en_ca/research.html?category=trend-micro-research:article-type/research" class="tag--list-anchor">Research</a>
		
	</div>
</section>

        </main>

        <sidebar class="sidebar--left col-xs-12 col-md-2 col-md-pull-8">
            


<h3 class="article-authors__title">
	
		Authors
	
</h3>

<!-- /* Show Trend Micro if we don't have any authors for this article */ -->


<ul class="article-authors__list">
	<li class="article-authors__list-items">
		
		<div class="article-authors__wrapper" role="contentinfo authors profile">
			
			
				<p class="article-authors__list-items__name">Jaromir Horejsi</p>
			
			<p class="article-authors__list-items__position">Threat Researcher</p>
		</div>
	</li>

	<li class="article-authors__list-items">
		
		<div class="article-authors__wrapper" role="contentinfo authors profile">
			
			
				<p class="article-authors__list-items__name">David Fiser</p>
			
			<p class="article-authors__list-items__position">Threat Researcher</p>
		</div>
	</li>
</ul>

	

    

        </sidebar>

    </article>
</div></div>

    
</div>
</div>


			

    </body>
</html>
